3 Replies Latest reply on May 25, 2020 6:54 AM by daphnissov

    Unable to setup passwordless ssh to esx node

    mahmn Novice

      May I know why I cannot do a passwordless ssh to an ESXi node?

      [mahmood@hpc ~]$ ssh-keygen
      Generating public/private rsa key pair.
      Enter file in which to save the key (/home/mahmood/.ssh/id_rsa):
      Enter passphrase (empty for no passphrase):
      Enter same passphrase again:
      Your identification has been saved in /home/mahmood/.ssh/id_rsa.
      Your public key has been saved in /home/mahmood/.ssh/id_rsa.pub.
      The key fingerprint is:
      SHA256:WlIY5cI9vrxfN3Wh0jyyyl9YM73Y+IwlVQkYD/AzPuA mahmood@hpc.scu.ac.ir
      The key's randomart image is:
      +---[RSA 2048]----+
      |      .....oo.   |
      |     . =  ..o . .|
      |      + =. + . o.|
      |       +..o = o o|
      |      . SE = O oo|
      |       = .  B O.o|
      |      . o  o.=o+ |
      |        ......*. |
      |        .+o. . o |
      +----[SHA256]-----+
      [mahmood@hpc ~]$ ssh-copy-id root@10.1.1.101
      /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/mahmood/.ssh/id_rsa.pub"
      /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
      /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
      Password:
      Warning: untrusted X11 forwarding setup failed: xauth key data not generated

      Number of key(s) added: 1

      Now try logging into the machine, with:   "ssh 'root@10.1.1.101'"
      and check to make sure that only the key(s) you wanted were added.

      [mahmood@hpc ~]$ ssh root@10.1.1.101
      Password:
      Warning: untrusted X11 forwarding setup failed: xauth key data not generated
      The time and date of this login have been sent to the system logs.

      WARNING:
         All commands run on the ESXi shell are logged and may be included in
         support bundles. Do not provide passwords directly on the command line.
         Most tools can prompt for secrets or accept them from standard input.

      VMware offers supported, powerful system administration tools.  Please
      see www.vmware.com/go/sysadmintools for details.

      The ESXi Shell can be disabled by an administrative user. See the
      vSphere Security documentation for more information.
      [root@localhost:~]
      [root@localhost:~] ls -l .ssh/
      total 4
      -rw-------    1 root     root           403 May 23 15:25 authorized_keys

      Any idea about that?

        • 1. Re: Unable to setup passwordless ssh to esx node
          daphnissov Guru

          ESXi is not Linux and private key auth doesn't work the same way. Please read: https://kb.vmware.com/s/article/1002866

          • 2. Re: Unable to setup passwordless ssh to esx node
            mahmn Novice

            I think I did it in the same way as the document you mentioned. I have stored the public key on the esxi node

            ESXi

            [root@localhost:~] cat .ssh/authorized_keys
            ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrXLNmnMu4nYQYi+EFVEQcfFOt7OB2x6iOYVzhnf2d2DEbTNfnVQ7OoO9naDN9ESrSdqPMwXNf2BxzexXTMBsOd/2n9qy9vLPkRC2DBrOEHf0BdQTVClOiYFL/C9DNAqTG8RTTsjb/uLxY1Yr97kVM3GcQqO1yaIQIyRgmfu0zsHaJRnUXUgQ1PRudBcxHD4nqBXgU2M9aOBQ6AHUnIbkZiuY+VxX6m4UFhVm23qD1gVnJmKPcseLnkDKV+/TGhAeBhbYTxViyHnsflUUzdwnXE0u/6S/9U7+K8EXq+xHA6ev2kY6wRPnEjVcrek97B mahmood@XXXXXX

            My local machine

            [mahmood@hpc ~]$ ls .ssh
            id_rsa  id_rsa.pub  known_hosts
            [mahmood@hpc ~]$ cat .ssh/id_rsa.pub
            ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrXLNmnMu4nYQYi+EFVEQcfFOt7OB2x6iOYVzhnf2d2DEbTNfnVQ7OoO9naDN9ESrSdqPMwXNf2BxzexXTMBsOd/2n9qy9vLPkRC2DBrOEHf0BdQTVClOiYFL/C9DNAqTG8RTTsjb/uLxY1Yr97kVM3GcQqO1yaIQIyRgmfu0zsHaJRnUXUgQ1PRudBcxHD4nqBXgU2M9aOBQ6AHUnIbkZiuY+VxX6m4UFhVm23qD1gVnJmKPcseLnkDKV+/TGhAeBhbYTxViyHnsflUUzdwnXE0u/6S/9U7+K8EXq+xHA6ev2kY6wRPnEjVcrek97B mahmood@XXXXXX

            Apart from that, after I set ChallengeResponseAuthentication to no in sshd_config, I am no longer able to ssh to the esxi node

            [root@localhost:~] grep PermitRootLogin /etc/ssh/sshd_config
            PermitRootLogin yes
            [root@localhost:~] grep ChallengeResponseAuthentication /etc/ssh/sshd_config
            ChallengeResponseAuthentication  no
            [root@localhost:~] grep PasswordAuthentication /etc/ssh/sshd_config
            PasswordAuthentication no
            [root@localhost:~] /etc/init.d/SSH restart
            SSH login disabled
            SSH login enabled
            [root@localhost:~] exit
            Connection to 10.1.1.101 closed.
            [mahmood@hpc ~]$ ssh root@10.1.1.101
            Permission denied (publickey).

            That means at this point I am not able to log in to the esxi node even with a password.

            Is there any way from the web interface of the esxi node to enable *at least* password based ssh?

            • 3. Re: Unable to setup passwordless ssh to esx node
              daphnissov Guru

              No, you didn't:

              For ESXi 5.x, 6.0, 6.5 and 6.7, the authorized_keys is located at: /etc/ssh/keys-<username>/authorized_keys
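
Added example, not part of the thread or of VMware's documentation: a preflight check for the lockout described above, reporting whether a usable key sits at the ESXi path from the last reply before password logins are switched off. It also checks PubkeyAuthentication, which goes slightly beyond the thread. The ROOT prefix, the function names and the fixture are assumptions, and unset keywords are taken at OpenSSH's default of yes.

```shell
#!/bin/sh
# Added example, not from the thread. ROOT is a hypothetical prefix so the
# check can run against a copy of the host's /etc; on the host use ROOT="".

# Effective value of an sshd_config keyword: first occurrence wins, keywords
# are case-insensitive. Match blocks and "key=value" lines are not handled.
sshd_value() {  # usage: sshd_value FILE KEYWORD DEFAULT
    [ -r "$1" ] || { echo "$3"; return 0; }
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }' "$1"
}

# Echoes: ok       usable key at /etc/ssh/keys-USER/authorized_keys
#         password no usable key there, a password method is still enabled
#         lockout  no usable key there and both password methods are off
esxi_ssh_preflight() {  # usage: esxi_ssh_preflight ROOT USER
    cfg="$1/etc/ssh/sshd_config"
    keys="$1/etc/ssh/keys-$2/authorized_keys"
    pk=$(sshd_value "$cfg" PubkeyAuthentication yes)
    pw=$(sshd_value "$cfg" PasswordAuthentication yes)
    cr=$(sshd_value "$cfg" ChallengeResponseAuthentication yes)
    # Public key blobs are base64 of a length-prefixed type string: "AAAA...".
    if [ "$pk" = yes ] && [ -f "$keys" ] &&
       grep -Eq '(ssh-rsa|ssh-ed25519|ecdsa-sha2-[^ ]+) AAAA' "$keys"; then
        echo ok
    elif [ "$pw" = no ] && [ "$cr" = no ]; then
        echo lockout
    else
        echo password
    fi
}

# Constructed fixture mirroring the thread: key only under the home-style
# .ssh directory, both password methods disabled. The key blob is a dummy.
make_thread_fixture() {  # usage: make_thread_fixture DIR
    mkdir -p "$1/etc/ssh" "$1/.ssh"
    printf '%s\n' 'PermitRootLogin yes' 'ChallengeResponseAuthentication  no' \
        'PasswordAuthentication no' > "$1/etc/ssh/sshd_config"
    echo 'ssh-rsa AAAAB3NzaC1yc2EDUMMY user@example' > "$1/.ssh/authorized_keys"
}

demo=$(mktemp -d)
make_thread_fixture "$demo"
esxi_ssh_preflight "$demo" root
rm -rf "$demo"
```

Running the check while a password session is still open, and again after restarting SSH, shows whether the key is being read from the ESXi location before the fallback is removed.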